Web Programming, Linux System Administration, and Entrepreneurship in Athens Georgia

Traceroutes time out after turning on an iptables firewall

On many of the firewalls that I administer, the machine itself fails to respond to a traceroute. The trace gets the entire way to the host and then shows nothing but timeouts (`* * *`) for the final hop. I messed with this on and off for a while, and finally tracked down the cause and a solution.

First, I tried to make sure that the firewall was open to receive ICMP packets. I use these commands to permit a few specific ICMP types:

However, just enabling those didn't allow traceroutes to work correctly. There is also an ICMP type 30 defined for traceroute, but enabling that never got it working for me. That is not surprising in hindsight: type 30 (RFC 1393) is deprecated and none of the common traceroute implementations send it.

So, I had to dig a little deeper into how traceroute works. In its default mode it sends UDP packets to high-numbered ports that it does not expect to be open, with an increasing TTL on each round of probes. Every intermediate router that discards a probe sends back an ICMP 'Time Exceeded', and the destination host, which has nothing listening on the port, should send back an ICMP 'Destination Unreachable' with code 'Port Unreachable' (type 3, code 3). That final reply is what tells traceroute it has reached the host.

It turns out that the firewall rules I was using dropped all incoming UDP (unless a port was specifically allowed). The probes never reached the kernel's UDP stack, so no 'port unreachable' was ever generated, and because the packets were silently dropped rather than rejected, traceroute saw only timeouts for the last hop.

Most traceroute implementations (the Linux traceroute included) start sending probes at UDP destination port 33434 and increment the port number for each probe they send out, so the conventional allowance covers 33434 through 33523 (30 hops times 3 probes per hop). I added this firewall rule to allow these packets through:

The rule just stops the firewall from dropping the packets before they get to the kernel. Since there is nothing listening on those ports, the kernel then replies with the ICMP 'port unreachable' packet as it normally would. Two things to check if it still does not work: the reply has to be allowed out (if your OUTPUT chain is restrictive, accept `-m conntrack --ctstate RELATED` or `-p icmp --icmp-type port-unreachable`), and if something does start listening on one of those ports the reply for that probe disappears again. An alternative that does not depend on the port being closed is to `REJECT --reject-with icmp-port-unreachable` on the same range, which produces the identical ICMP reply without ever handing the packet to a socket.
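The complete ruleset the steps above describe (ICMP allowances, a default-drop UDP policy, and the traceroute port range), as an added example in iptables-restore format; this is not the post's own command set. The particular ICMP types, the SSH allowance and the 30-hop/3-probe sizing are assumptions for the example, and the script needs root only for the `apply` action.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes iptables with the
# conntrack and limit matches; the allowed ICMP types, the SSH rule and the
# 30-hop / 3-probe traceroute sizing are assumptions for illustration.

# Linux traceroute's default UDP base port is 33434 and it uses one port per
# probe, so a trace of H hops with P probes per hop touches H*P consecutive
# ports. Returns the iptables range "first:last".
traceroute_port_range() {
    base=33434
    hops=${1:-30}
    probes=${2:-3}
    last=$((base + hops * probes - 1))
    echo "${base}:${last}"
}

# Emit a complete ruleset for iptables-restore. INPUT drops by default, so
# UDP probes would otherwise vanish before the kernel can answer them.
gen_rules() {
    range=$(traceroute_port_range "$@")
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP types the host should accept: echo for ping (rate limited), and the
# error messages that PMTU discovery and our own outbound traceroutes rely on.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Administrative access (assumed for the example).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# UDP traceroute probes: let them reach the kernel. Nothing listens there, so
# the kernel answers with ICMP port unreachable (type 3 code 3), which is the
# reply the remote traceroute is waiting for.
-A INPUT -p udp --dport $range -j ACCEPT
COMMIT
EOF
}

# Load the generated ruleset atomically (requires root).
apply_rules() {
    gen_rules "$@" | iptables-restore
}

# Usage: ./traceroute-fw.sh show [hops] [probes]   - print the ruleset
#        ./traceroute-fw.sh apply [hops] [probes]  - load it with iptables-restore
case "${1:-}" in
    show)  gen_rules "${2:-}" "${3:-}" ;;
    apply) apply_rules "${2:-}" "${3:-}" ;;
esac
```

Running `show` prints the ruleset for review before anything is loaded; `apply` feeds the same text to `iptables-restore`, which replaces the filter table in one step. Because OUTPUT accepts by default here, the kernel's ICMP port-unreachable reply leaves unhindered; on a host with a restrictive OUTPUT chain, add an outbound rule for `-m conntrack --ctstate RELATED`. Note that `traceroute -I` (ICMP echo mode) needs only the echo-request rule, while `traceroute -T` (TCP SYN mode) is answered with a RST or SYN-ACK from the TCP stack and needs the target port allowed instead.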